Posted to dev@hc.apache.org by bu...@apache.org on 2003/03/11 17:29:47 UTC
DO NOT REPLY [Bug 17884] New: - Multiple DIGEST authentication attempts with same credentials
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17884
Summary: Multiple DIGEST authentication attempts with same credentials
Product: Commons
Version: 1.0 Alpha
Platform: All
OS/Version: Other
Status: NEW
Severity: Major
Priority: Other
Component: HttpClient
AssignedTo: commons-httpclient-dev@jakarta.apache.org
ReportedBy: olegk@apache.org
HttpMethodBase's processAuthenticationResponse uses a set of realms to which
attempts to authenticate have already been made. The elements of the set are a
concatenation of the requested path and the value of the Authentication response
header.
For digest authentication this response header contains a nonce value, which is
uniquely generated by the server each time a 401 response is made. This makes it
impossible to recognize that authentication against this realm has been
attempted before and so all 100 attempts are made before returning. The nonce
should probably not be used in the realmsUsed element.
Reported by Rob Owen <Ro...@sas.com>
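
An added example, not HttpClient's own code and not part of the original report: it contrasts the key the report describes (path plus the whole challenge header) with a hypothetical key built from path, scheme and realm only. The class name, method names and sample challenges are constructed for illustration, and the challenge is assumed to arrive in the `WWW-Authenticate` header.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RealmKeyDemo {
    // Matches realm="..." in a challenge; quoted-string escapes are not handled here.
    private static final Pattern REALM =
        Pattern.compile("\\brealm\\s*=\\s*\"([^\"]*)\"", Pattern.CASE_INSENSITIVE);

    // Key as the report describes it: path plus the whole header value, nonce included.
    static String rawKey(String path, String challenge) {
        return path + challenge;
    }

    // Hypothetical alternative: path + scheme + realm, so per-response values drop out.
    static String stableKey(String path, String challenge) {
        String c = challenge.trim();
        int sp = c.indexOf(' ');
        String scheme = (sp < 0 ? c : c.substring(0, sp)).toLowerCase(Locale.ROOT);
        Matcher m = REALM.matcher(c);
        String realm = m.find() ? m.group(1) : "";
        return path + '\n' + scheme + '\n' + realm;
    }

    // Counts how many challenges get answered before a repeated key stops the loop.
    static int attemptsBeforeStop(String path, String[] challenges, boolean stable) {
        Set<String> realmsUsed = new HashSet<>();
        int attempts = 0;
        for (String ch : challenges) {
            String key = stable ? stableKey(path, ch) : rawKey(path, ch);
            if (!realmsUsed.add(key)) break; // same realm seen before: stop retrying
            attempts++;
        }
        return attempts;
    }

    public static void main(String[] args) {
        // Constructed sample: one realm rejecting the same credentials, new nonce each time.
        String[] challenges = new String[5];
        for (int i = 0; i < challenges.length; i++) {
            challenges[i] = "Digest realm=\"example\", qop=\"auth\", nonce=\"n" + i + "\"";
        }
        System.out.println("raw key attempts:    "
            + attemptsBeforeStop("/protected", challenges, false));
        System.out.println("stable key attempts: "
            + attemptsBeforeStop("/protected", challenges, true));
    }
}
```

A Digest challenge carrying `stale=true` signals an expired nonce rather than rejected credentials, so a complete implementation would still allow a retry in that case.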